At 12:44 PM +0100 3/11/09, <pasi.ero...@nokia.com> wrote:

>Vijay Devarapalli wrote:
>
>> I don't agree with the restriction that the original gateway and the
>> new gateway should have the same IDr. That is too restrictive. For
>> example, it should be possible for gw1 to redirect the client to
>> gw2, with the two gateways having two distinct FQDNs.
>
>Right... but if the client does not have a PAD entry for gw2's IDr,
>then the IKE negotiation will fail. (I guess we're not considering
>updating the PAD based on REDIRECTs.)
Co-chair-hat on: Right, we are not considering that currently. If we do consider it, it is a significant change to the document and we would want to do (at least) another WG last call.

Co-chair-hat off: Right, and we should not consider that, given the difficulty of bounding the security considerations if we do so.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
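An added example (not code from the thread or from any IKEv2 implementation) modelling the client-side check Pasi describes: on a REDIRECT the client starts a new IKE_SA and looks up the new gateway's IDr in its Peer Authorization Database, so two gateways with distinct FQDNs work only if both identities are already authorized there, and the PAD is never extended from the REDIRECT payload. The suffix-wildcard entry form, the gateway names and the auth method strings are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PadEntry:
    """One Peer Authorization Database entry (RFC 4301, Section 4.4.3)."""
    id_type: str      # IKEv2 ID type, e.g. "ID_FQDN" or "ID_IPV4_ADDR"
    id_value: str     # exact identity, or "*.suffix" (wildcard form assumed here)
    auth_method: str  # how the peer must prove this identity, e.g. "RSA_SIG"


def pad_lookup(pad, id_type, id_value):
    """Return the PAD entry that authorizes the asserted IDr, or None."""
    for entry in pad:
        if entry.id_type != id_type:
            continue
        if entry.id_value == id_value:
            return entry
        # Assumed wildcard form: matches names strictly below the given domain.
        if entry.id_value.startswith("*.") and id_value.endswith(entry.id_value[1:]):
            return entry
    return None


def can_follow_redirect(pad, new_gw_id_type, new_gw_id_value):
    """Decide whether the IKE_SA toward the redirect target can be authorized.

    Returns (ok, reason). The PAD is deliberately not extended from the
    REDIRECT payload, matching the position taken in the thread.
    """
    entry = pad_lookup(pad, new_gw_id_type, new_gw_id_value)
    if entry is None:
        return False, f"no PAD entry for {new_gw_id_value}; IKE_AUTH will fail"
    return True, f"{new_gw_id_value} authorized via {entry.id_value!r} ({entry.auth_method})"


# Constructed sample PAD: the client knows gw1 by name and trusts any gateway
# under the operator's vpn subdomain, but has no entry for a standalone gw2.
SAMPLE_PAD = (
    PadEntry("ID_FQDN", "gw1.example.net", "RSA_SIG"),
    PadEntry("ID_FQDN", "*.vpn.example.net", "RSA_SIG"),
)

if __name__ == "__main__":
    for target in ("gw2.example.net", "gw2.vpn.example.net", "gw1.example.net"):
        print(target, can_follow_redirect(SAMPLE_PAD, "ID_FQDN", target))
```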